About Luca Berton

Luca Berton is an Ansible automation expert, author of "Ansible for VMware by Examples" and "Ansible for Kubernetes by Example" published by Apress, and creator of the Ansible Pilot YouTube channel. He shares practical automation knowledge through tutorials, books, and video courses to help IT professionals and DevOps engineers master infrastructure automation.

Ansible on Ubuntu 26.04 LTS: sudo-rs, APT Rollback, and Automating Resolute Raccoon

By Luca Berton · Published 2024-01-01 · Category: installation

Install and configure Ansible on Ubuntu 26.04 LTS Resolute Raccoon. Automate sudo-rs (Rust-based sudo), APT 3.2 transaction rollback, Wayland-only desktops, ROCm GPU compute, and Kernel 7.0 features with practical playbooks.

Ubuntu 26.04 LTS Changes That Affect Your Ansible Playbooks

Ubuntu 26.04 LTS "Resolute Raccoon" ships changes that matter to anyone managing Linux infrastructure with Ansible. Most posts about this release will focus on desktop polish. This one focuses on what changes for automation engineers.

The headline: sudo-rs is now the default sudo provider. Your become: true tasks still work, but the binary handling privilege escalation on every managed host is fundamentally different. Here's what you need to know and how to automate it.

Install Ansible on Ubuntu 26.04

Automate Control Node Setup

sudo-rs: The Change That Actually Matters

sudo is the binary that runs as root on every Linux machine you manage. It's been written in C since 1980. In the last few years it's had CVEs that allowed local privilege escalation — Baron Samedit (CVE-2021-3156) being the memorable one, with 10 years of unpatched exposure across most Linux distros.

sudo-rs is a full rewrite in Rust. Same /etc/sudoers config format. Same CLI interface. Drop-in replacement. The memory safety guarantees Rust provides matter specifically here — on the binary that handles privilege escalation.

This isn't experimental. sudo-rs passed a full security audit by Radically Open Security in 2023. It is developed under Prossimo/ISRG (the people behind Let's Encrypt), and the sudo-rs team worked directly with Todd C. Miller, the original sudo maintainer. Ubuntu 26.04 making it the default is the signal that it's production-ready.

What Changes for Ansible

The good news: nothing breaks. Ansible's become method calls sudo as a binary. sudo-rs provides the same binary interface. Your existing playbooks work without modification.

What you should validate:
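
One way to run that validation across an inventory, as an added example that is not part of the original article. The `require_sudo_rs` variable is hypothetical, and matching the string "sudo-rs" in the `sudo --version` banner is an assumption about how the provider identifies itself.

```yaml
---
- name: Validate the sudo provider and become on every host
  hosts: all
  gather_facts: false
  vars:
    # Hypothetical switch: set true for groups that must already run sudo-rs.
    require_sudo_rs: false
  tasks:
    - name: Read the sudo version banner (no escalation needed)
      ansible.builtin.command: sudo --version
      register: sudo_version
      changed_when: false

    - name: Classify the provider
      # Assumption: the sudo-rs banner contains the string "sudo-rs".
      ansible.builtin.set_fact:
        sudo_provider: "{{ 'sudo-rs' if 'sudo-rs' in sudo_version.stdout else 'other' }}"

    - name: Confirm become reaches root through this provider
      ansible.builtin.command: id -u
      become: true
      register: become_uid
      changed_when: false

    - name: Check that the deployed sudoers policy still parses
      ansible.builtin.command: visudo -c
      become: true
      changed_when: false

    - name: Fail hosts that do not meet expectations
      ansible.builtin.assert:
        that:
          - become_uid.stdout == '0'
          - sudo_provider == 'sudo-rs' or not (require_sudo_rs | bool)
        fail_msg: "{{ inventory_hostname }}: provider={{ sudo_provider }}, uid via become={{ become_uid.stdout }}"

    - name: Report the provider per host
      ansible.builtin.debug:
        msg: "{{ inventory_hostname }}: {{ sudo_version.stdout_lines | first }}"
```

Run it against a staging group first; a host whose sudoers file uses a feature the installed provider rejects fails at the `visudo -c` task rather than at the next real deployment.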

Enforce sudo-rs Across Your Fleet

If you're managing a mixed fleet of Ubuntu versions and want to standardize on sudo-rs where available:

Harden sudoers Configuration

sudo-rs uses the same /etc/sudoers format, so your existing Ansible sudoers management works identically:
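
A sketch of that sudoers management, added here as an example and not taken from the original article: it installs one narrowly scoped drop-in through `visudo` validation, then audits ownership and mode of every file in /etc/sudoers.d. The account `deploy`, the unit `myapp.service` and the file name `50-deploy` are hypothetical.

```yaml
---
- name: Manage and audit sudoers drop-ins
  hosts: all
  become: true
  vars:
    deploy_user: deploy             # hypothetical account
    deploy_service: myapp.service   # hypothetical systemd unit
  tasks:
    - name: Install a single-command rule, rejecting content visudo cannot parse
      ansible.builtin.copy:
        dest: /etc/sudoers.d/50-deploy
        owner: root
        group: root
        mode: "0440"
        # The candidate file is checked before it replaces the live one,
        # so a syntax error never reaches the active policy.
        validate: visudo -cf %s
        content: |
          # Managed by Ansible
          {{ deploy_user }} ALL=(root) NOPASSWD: /usr/bin/systemctl restart {{ deploy_service }}

    - name: List every drop-in present on the host
      ansible.builtin.find:
        paths: /etc/sudoers.d
        file_type: file
      register: dropins

    - name: Flag drop-ins that are not root-owned with mode 0440
      ansible.builtin.assert:
        that:
          - item.uid == 0
          - item.mode == '0440'
        fail_msg: "{{ item.path }}: uid={{ item.uid }} mode={{ item.mode }}"
      loop: "{{ dropins.files }}"
      loop_control:
        label: "{{ item.path }}"
```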

APT 3.2: Transaction Rollback

APT 3.2 in Ubuntu 26.04 introduces a transaction log with full rollback support. apt history-rollback undoes any package operation. This changes how you handle failed deployments and package management with Ansible.

Automate APT Rollback

APT Rollback for Kernel Updates

Kernel 7.0: What Matters for Automation

Ubuntu 26.04 ships Linux Kernel 7.0 with Intel TDX (Trust Domain Extensions) for confidential computing and broader hardware support.

Wayland-Only: X11 Is Gone

Ubuntu 26.04 removes X11 entirely. No more Xorg fallback session in GDM. If your Ansible playbooks install or configure X11 packages, they'll fail.

Update Display Testing in CI

If your Ansible molecule tests or CI pipelines use virtual displays:

ROCm: AMD GPU Compute as a One-Liner

Ubuntu 26.04 includes ROCm in the official repositories. No more third-party repo configuration.

ROCm vs Pre-26.04 Comparison

Ptyxis Terminal

Ubuntu 26.04 replaces GNOME Terminal with Ptyxis — GPU-accelerated, GTK4-native, with tabs that hold state. If your playbooks install or configure gnome-terminal, update them:

Complete Ubuntu 26.04 Base Image Playbook

For building hardened base images, sudo-rs and the APT rollback flow are the two things to validate first:

Ubuntu 26.04 Quick Reference

| Feature | What Changed | Ansible Impact |
|---------|-------------|----------------|
| sudo-rs | Rust-based sudo is default | become: true works unchanged; validate on fleet |
| APT 3.2 | Transaction rollback via apt history-rollback | New rollback capability for safe deployments |
| Kernel 7.0 | Intel TDX, broader hardware | New sysctl params, TDX module options |
| Wayland-only | X11 completely removed | Remove Xorg tasks; update CI virtual displays |
| ROCm in repos | apt install rocm | Remove manual repo configuration tasks |
| Ptyxis | Replaces GNOME Terminal | Update desktop provisioning playbooks |
| LTS until 2031 | 5 years standard, 10 with Pro | Long-term automation target |

FAQ

Does Ansible's become method work with sudo-rs?

Yes. Ansible calls sudo as a binary, and sudo-rs is a drop-in replacement with the same CLI interface. No changes to become: true, become_method: sudo, or ansible_become_password are needed. Your existing playbooks work without modification.

Should I switch existing Ubuntu 24.04 hosts to sudo-rs?

sudo-rs is available as a package on Ubuntu 24.04 and later. For security-sensitive environments, it's worth the switch. Test your sudoers configuration first — sudo-rs intentionally doesn't implement some rarely-used sudoers features that are common sources of security issues.

How do I use APT rollback in Ansible error handling?

Use Ansible's block/rescue pattern combined with apt history-rollback. Record the transaction ID before your package block, then call rollback in the rescue section if any task fails. See the safe deployment playbook above for the full pattern.

Will my X11-dependent Ansible roles break on Ubuntu 26.04?

If your roles install xorg, xserver-xorg, or configure X11 settings, they'll fail or produce warnings on Ubuntu 26.04. Audit roles for X11 dependencies and create Wayland alternatives. The xwayland package provides compatibility for legacy X11 applications that run under Wayland.

Is Ubuntu 26.04 safe for production Ansible managed nodes?

Yes. As an LTS release with 5 years of standard support (10 with Ubuntu Pro until 2036), Ubuntu 26.04 is designed for production. The sudo-rs change actually improves security posture. Test your playbooks in staging first, particularly around any X11 or custom sudo configurations.

Conclusion

Ubuntu 26.04 LTS "Resolute Raccoon" brings meaningful changes for automation engineers. sudo-rs eliminates an entire class of privilege escalation vulnerabilities in the most critical binary on your systems. APT 3.2 rollback gives you a safety net for package operations. The Wayland-only shift requires updating desktop provisioning playbooks. And ROCm in default repos simplifies GPU compute automation from a multi-step process to a single apt install. Validate sudo-rs and APT rollback first — they're the changes that impact every host you manage.
